What Law Firms MUST Know About Protecting Themselves And Their Clients From Cyber Attacks

On November 7, 2013, we hosted a breakfast seminar titled “Cyber Criminals Are Targeting Law firms”. Here are the cliff notes.

George Schultzel , FBI:

There are only 2 kinds of people.People who are about to be hacked; and those who’ll be hacked again.
It’s as simple as that – either you’ve already been hacked and don’t know it (because most firms do NOT have the capability to detect breaches, data thefts, etc.) or those that are actively being attacked by their competitors, criminals and foreign governments.

There are 3 types of assets you need to protect: Human, Intellectual Property and Financial Assets

Some recent FBI cases:

a law firm has $7 Million stolen, and they didn’t even know about it.

a group of 12-19 year olds was actively hacking D-list celebrities, just because they could.

Several law firms hired hackers to break into their competitors

LESSONS LEARNED:

90% of Zeus banking Trojan infections enter the network via email. You MUST invest in good spam filtering, network firewalls, and backups. And most importantly, keep a keen eye on your bank accounts.

When you invite the FBI into your office, they conduct their investigations very discreetly.

For nation-state attacks, with your approval, they will monitor the attacks. During criminal attacks, they will come in, forensically image the systems, and take evidence. They WILL protect client confidentiality. They will NOT fix or repair your systems.

What can you to do protect your business?

According to Maria Treglia, PBC, a division of HUB International, Businesses and Organizations have an obligation to keep people’s information private.

Your existing Malpractice or General Liability policies do NOT provide appropriate coverage for hacks and cyber-theft.

In a recent study conducted by NetDiligence,

Personally Identifiable Information (PII) was the most frequently exposed data (28.7% of breaches), followed closely by Protected Health Information (PHI) (27.2% of breaches).

Lost/Stolen Laptop/Devices were the most frequent cause of loss (20.7%), followed by Hackers (18.6%).

The median number of records lost was 1,000. The average number of records lost was 2.3 million. Claims submitted for this study ranged from $2,500 to $20 million. Typical claims, however, ranged from $25,000 to $400,000.

Raj Goel, CISSP discussed several law-firm related case studies. Why are you being attacked? Because the criminals know you have valuable assets – sensitive data on mergers, purchases, law suits, etc. And because most law firms have the “I’ll never get hacked mentality”.

Some recent cases:

A former employee of a Pittsburgh, PA law firm and her husband were sentenced for hacking into the law firm

China-based hackers broke into 7 different Canadian law firms to get insider info on the Potash Corp/BHP Billiton merger

A partner in a small law firm discovered he’d been hacked when the FBI knocked on his door.

According to the Wall Street Journal, Client Secrets Are At Risk as Hackers Target Law Firms